afosto / yaac

Yet another ACME client: a decoupled LetsEncrypt client

Help with debugging a potential rate limit error #22

Closed tipswithpunch closed 4 years ago

tipswithpunch commented 4 years ago

Hi Peter,

I’ve built a tool to help people on GoDaddy shared hosting to get an SSL certificate for free, just by filling a few fields on my website. Here is the tool: https://punchsalad.com/ssl-certificate-generator/ .

The tool is built on top of yaac, which in most cases works great! Once I went live with the tool I started to have issues where people are not able to get verification files for http-01 although their details (domains & email) are correct. I’m able to reproduce the issue from time to time.

It seems the issue happens when a "new client" is created in the code, so at this stage: $client = new Client([ 'username' => $emailAddress, 'fs' => $filesystem, 'mode' => Client::MODE_LIVE, ]);

And the whole code fails and I get a response code of 500. Then after 30-60 mins, it works again without any issue. Also, it seems to happen more often when there are many users using the tool in a short period of time (within 30mins or so).

I’m not able to debug this as I’m not sure which rate limit I’m hitting and there is no error status. I think it’s either “too many failed authorizations recently” or “too many registrations for this IP”. For the second I’m not sure I’m hitting that limit of 10 accounts per 3 hours. But also I have no way of validating this.

Can you please point me in the right direction to debug this issue?

Thanks, Robert

bakkerpeter commented 4 years ago

Thanks for reporting, Friday I'll look into this

RohirNaik commented 4 years ago

Agree, I tried his tool; also, wildcard certificates cannot be created.

bakkerpeter commented 4 years ago

@RohirNaik Please stop cross-posting your issue https://github.com/afosto/yaac/issues/23

bakkerpeter commented 4 years ago

@tipswithpunch sorry, I have not found time yet to look into this.

tipswithpunch commented 4 years ago

@bakkerpeter No worries buddy. Also, I'm not sure you will be able to reproduce the issue easily.

What would be helpful is if you could point me in the right direction. I can't figure out which of the calls that YAAC makes should return the rate limit if it's hit. I tried to debug it but just can't find the right one.

bakkerpeter commented 4 years ago

Based on your use case, my guess is that you are hitting the account create rate limit.

So that would be when constructing the Client.

Maybe if you try to instantiate with differing email addresses you could reproduce it?

Either way, these issues should be easier to find so maybe we need to look at a smarter way to log what's going on.

Thanks!


tipswithpunch commented 4 years ago

The users enter their own emails when they use the tool. It's possible that some users create multiple SSLs for different domains.

Do you think it would work better if I use one email address for all the requests?

bakkerpeter commented 4 years ago

Not sure, this might provide some direction: https://letsencrypt.org/docs/integration-guide/#one-account-or-many

We followed this advice (one account) in our own software as well.

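An added example (not from this thread or the yaac project) of the "one account" approach Peter recommends, together with surfacing the ACME problem document instead of a bare 500. It assumes yaac's Client constructor as quoted in the issue, Flysystem 1.x storage as in yaac's README, that ACME HTTP errors reach the caller as Guzzle's BadResponseException (an assumption; adjust the catch if your yaac version wraps them), and a hypothetical `AcmeService` wrapper name and storage path.

```php
<?php
// Added example, not part of yaac or the issue thread. Names marked
// hypothetical or assumed are not from the project.
use Afosto\Acme\Client;
use GuzzleHttp\Exception\BadResponseException;
use League\Flysystem\Adapter\Local;
use League\Flysystem\Filesystem;

final class AcmeService // hypothetical wrapper
{
    private static ?Client $client = null;

    // One ACME account for the whole service: the account email is the
    // operator's, not the visitor's, and the key material lives in one
    // persistent directory so the existing account is reused instead of
    // registering a new one per request (new registrations are what the
    // per-IP "too many registrations" limit counts).
    public static function client(): Client
    {
        if (self::$client === null) {
            $fs = new Filesystem(new Local('/var/lib/acme')); // assumed path
            self::$client = new Client([
                'username' => 'ops@example.com', // operator account (constructed value)
                'fs'       => $fs,
                'mode'     => Client::MODE_LIVE,
            ]);
        }
        return self::$client;
    }

    // Extract the RFC 8555 problem document (type, detail, status) from an
    // ACME HTTP error, or null if the exception is not one.
    public static function acmeProblem(\Throwable $e): ?array
    {
        if (!$e instanceof BadResponseException) {
            return null;
        }
        $body = json_decode((string) $e->getResponse()->getBody(), true);
        if (!is_array($body) || empty($body['type'])) {
            return null;
        }
        return ['type' => $body['type'], 'detail' => $body['detail'] ?? '',
                'status' => $e->getResponse()->getStatusCode()];
    }
}

try {
    $order = AcmeService::client()->createOrder(['example.org']); // constructed domain
} catch (\Throwable $e) {
    $p = AcmeService::acmeProblem($e);
    if ($p !== null && str_ends_with($p['type'], ':rateLimited')) {
        error_log('ACME rate limit hit: ' . $p['detail']); // keep the detail for debugging
        http_response_code(429); // tell the visitor to retry later instead of a bare 500
        exit;
    }
    throw $e;
}
```

Logging `$p['detail']` on every failure is what makes the two candidate limits from the issue distinguishable, since Let's Encrypt names the exceeded limit in that field.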

tipswithpunch commented 4 years ago

Thanks Peter, I'll give that a try.

tipswithpunch commented 4 years ago

Hi Peter, just wanted to thank you for the tip. The one-account approach solved most of the issues. So from my side, you can close the ticket, unless you want to add the error status codes. Thanks a lot for your help!

bakkerpeter commented 4 years ago

Cool, thanks for the feedback